TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System

September 27, 2013

Reference Number: 2013-20-118

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

FOREIGN ACCOUNT TAX COMPLIANCE ACT: IMPROVEMENTS ARE NEEDED TO STRENGTHEN SYSTEMS DEVELOPMENT CONTROLS FOR THE FOREIGN FINANCIAL INSTITUTION REGISTRATION SYSTEM

Highlights

Final Report issued on September 27, 2013

Highlights of Reference Number: 2013-20-118 to the Internal Revenue Service Chief Technology Officer and the Commissioner, Large Business and International Division.

IMPACT ON TAXPAYERS

The development of the Foreign Financial Institution Registration System allows the IRS to support requirements of the Foreign Account Tax Compliance Act (FATCA) legislation. The expected benefits of this information technology project include the ability to: 1) effectively register Foreign Financial Institutions; 2) increase annual enforcement revenue; and 3) support the IRS’s new overall information reporting system for the FATCA. The successful development, deployment, and implementation of the Foreign Financial Institution Registration System should significantly improve taxpayer compliance internationally and enhance IRS tax administration.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine whether the IRS’s systems development approach for the Foreign Financial Institution Registration System is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals. Specifically, TIGTA evaluated the IRS’s key management controls and processes over program management, security control processes, testing documentation, requirements management, and fraud detection controls.

WHAT TIGTA FOUND

The IRS is developing the Foreign Financial Institution Registration System within its new Enterprise Life Cycle Iterative Path systems development and testing process. The initial system release was substantially developed and nearing deployment when the IRS terminated the effort in November 2012. Following new Department of the Treasury regulations, changes with Intergovernmental Agreements, and new processes needed to implement the FATCA, the IRS was unable to fully utilize the initial system. Subsequently, the IRS modified and expanded the scope of the system requirements. The major redesign and initiation of a new development effort was necessary because the IRS did not sufficiently develop requirements for the initial Foreign Financial Institution Registration System as needed for new system development.

While the IRS has taken steps to improve management controls for this major information technology investment, additional improvements are needed to ensure consistent adherence to risk mitigation processes for program management, security control processes, testing documentation, and requirements management.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer and the Commissioner, Large Business and International Division, timely identify and communicate system changes for future FATCA releases and ensure that the IRS consistently documents and maintains test cases and test results. In addition, the Chief Technology Officer should ensure that adequate program management controls are in place and consistently followed to allow the IRS to accomplish its FATCA goals and objectives. Finally, the Chief Technology Officer should ensure that all system requirements documentation includes the requirements being tested and all security requirements, and that corresponding test cases are identified and sufficiently traced, managed, and tested.

The IRS agreed with all six recommendations. However, TIGTA believes that the action plans provided by the IRS for two of the recommendations were not fully responsive.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

September 27, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
               COMMISSIONER, LARGE BUSINESS AND INTERNATIONAL DIVISION

FROM:          Michael E. McKenney
               Acting Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System (Audit # 201320015)

This report presents the results of our review of the Foreign Financial Institution Registration System (FRS). The overall objective of this review was to determine whether the Internal Revenue Service’s (IRS) systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at Foreign Account Tax Compliance Act milestones and goals. This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2013 Annual Audit Plan and addresses several major management and performance challenges confronting the IRS including: Implementing the Affordable Care Act and Other Tax Law Changes; Globalization; and Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Foreign Account Tax Compliance Act: Improvements Are
Needed to Strengthen Systems Development Controls for the
Foreign Financial Institution Registration System

Table of Contents

Background ................................................................ Page 1

Results of Review ......................................................... Page 4
    Program Management Controls Were Not Consistently Followed During the
    Development of the First Release of the Foreign Financial Institution
    Registration System ................................................... Page 4
        Recommendation 1: ................................................. Page 8
        Recommendation 2: ................................................. Page 9
    Security Controls Need Improvement to Ensure Long-Term Success of the
    Foreign Financial Institution Registration System ..................... Page 10
        Recommendation 3: ................................................. Page 10
    Testing Documentation Procedures Need Improvement ..................... Page 11
        Recommendations 4 and 5: .......................................... Page 12
    Requirements Management Controls Need Improvement ..................... Page 13
        Recommendation 6: ................................................. Page 13

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ............... Page 15
    Appendix II – Major Contributors to This Report ....................... Page 17
    Appendix III – Report Distribution List ............................... Page 18
    Appendix IV – Outcome Measure ......................................... Page 19
    Appendix V – Glossary of Terms ........................................ Page 20
    Appendix VI – Management’s Response to the Draft Report ............... Page 23

Abbreviations

FATCA    Foreign Account Tax Compliance Act
FI       Financial Institution
FFI      Foreign Financial Institution
FRS      Foreign Financial Institution Registration System
IGA      Intergovernmental Agreement
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
IT       Information Technology
LB&I     Large Business and International
PMO      Program Management Office
RTVM     Requirements Traceability Verification Matrix
SAT      System Acceptability Testing
SCA      Security Controls Assessment

Background

The Foreign Account Tax Compliance Act (FATCA) is an important development in the efforts to improve U.S. tax compliance involving foreign financial assets and offshore accounts. The FATCA legislation was enacted in 2010 as part of the Hiring Incentives to Restore Employment Act.[1] Changes required by the FATCA will: 1) combat tax evasion by U.S. persons holding investments in offshore accounts; 2) expand the Internal Revenue Service’s (IRS) global presence; 3) pursue international tax and financial crimes; 4) fill a gap in the IRS’s information reporting system; and 5) generate additional enforcement revenue. The Department of the Treasury issued the final FATCA regulations on January 28, 2013.

The FATCA legislation directly impacts three key groups: 1) taxpayers who meet the reporting requirements threshold for foreign financial assets; 2) Foreign Financial Institutions (FFI) that report to the IRS foreign financial account information exceeding certain thresholds held by U.S. taxpayers; and 3) withholding agents[2] who withhold a 30 percent tax on taxpayers who fail to properly report their specified financial assets related to U.S. investments.

Prior to the FATCA legislation, the IRS did not have an international system to detect tax evasion by U.S. persons holding investments in FFIs, including foreign financial assets or offshore accounts. The IRS is developing a new international system called the FFI Registration System (FRS) to support the requirements of the FATCA legislation. The FFIs will register and then provide offshore account information that is reported through the FRS. The new system is a major information technology investment[3] for the IRS. The FRS is the first of the FATCA systems development projects planned through Fiscal Year 2017. The first release includes requirements for Drop 1 and Drop 2.[4] FRS users include registered officers of the FFIs and IRS employees. Figure 1 presents a timeline for key FATCA legislative and FRS development activities.

[1] Pub. L. No. 111-147, 124 Stat. 71 (2010).
[2] See Appendix V for a glossary of terms.
[3] Internal Revenue Manual 2.16.1.3.4.2 (April 25, 2012) defines a major information technology investment as having an annual cost of more than $5 million per year and a total life cycle cost of greater than $50 million.
[4] Drop 1 is the FRS functionality for FFI user requirements for Release 1.1. The FRS Drop 1 was originally scheduled to deploy on July 1, 2013. Drop 2 is the FRS functionality for IRS user requirements for Release 1.1.

Page 1

Figure 1: Timeline - FATCA Legislative and FRS Development Activities

  FATCA Legislative/FRS Development Activity                            Date
  FATCA Legislation Enacted                                             March 18, 2010
  FRS Project Started System Development                                April 25, 2011
  FATCA Project Kickoff Meeting                                         July 19, 2011
  FRS Release 1.0 Milestones 1/2 Exit                                   September 15, 2011
  FRS Release 1.0 Milestones 3/4a/4b Start                              September 16, 2011
  Proposed FATCA Regulations Issued                                     February 8, 2012
  FATCA Governance Board Approved Creation of Information
    Technology (IT) FRS Project Management Office                       September 13, 2012
  Intergovernmental Agreement (IGA) Scope Changes Identified            November 2, 2012
  FRS Release 1.0 Terminated[5]                                         November 5, 2012
  FRS Release 1.1 Redesigned                                            January 7, 2013
  Final FATCA Regulations Issued                                        January 28, 2013
  FATCA Governance Board Approved Scope and Schedule Changes
    to Develop Release 1.1                                              January 31, 2013
  FRS Release 1.1 Drop 1 Scheduled Deployment[6]                        July 14, 2013
  FATCA IT Program Management Office (PMO) Stand-up                     August 2013
  FRS Release 1.1 Drop 2 Scheduled                                      November 2013
  FFIs Deadline to Register on the FRS                                  April 25, 2014
  IRS Publishes First Participating FFI List                            June 2, 2014
  Withholding Begins on All U.S. Payments                               July 1, 2014

  Source: Treasury Inspector General for Tax Administration analysis, dated August 7, 2013.

[5] FRS Release 1.1 thereafter leveraged the work performed in and associated with deliverables from Release 1.0.
[6] IRS furlough days and testing delays pushed the Drop 1 deployment back two weeks.

The objective of our audit was to determine whether the IRS’s systems development approach for the FRS is sufficiently mitigating risks with the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals.

This review was performed at the Large Business and International (LB&I) Division offices in Washington, D.C., and the IT Organization offices at the New Carrollton Federal Building in Lanham, Maryland, during the period January through July 2013. We conducted this performance audit in accordance with generally accepted government auditing standards.
Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objective. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objective. Detailed information on our audit objective, scope, and\nmethodology is presented in Appendix I. Major contributors to the report are listed in\nAppendix II.\n\n\n\n\n                                                                                            Page 3\n\x0c                  Foreign Account Tax Compliance Act: Improvements Are\n                 Needed to Strengthen Systems Development Controls for the\n                      Foreign Financial Institution Registration System\n\n\n\n\n                                Results of Review\n\nProgram Management Controls Were Not Consistently Followed\nDuring the Development of the First Release of the Foreign Financial\nInstitution Registration System\nThe IRS is developing the FRS within its new Enterprise Life Cycle Iterative Path systems\ndevelopment and testing process. The initial system release was substantially developed and\nnearing deployment when the IRS terminated the effort in November 2012. Following new\nDepartment of the Treasury regulations, changes with IGAs, and new processes needed to\nimplement the FATCA, the IRS was unable to fully utilize the initial system. Subsequently, the\nIRS modified and expanded the scope of the system requirements. The major redesign and\ninitiation of a new development effort was necessary because the IRS did not sufficiently\ndevelop requirements for the initial FRS as needed for new system development. 
While the IRS\nhas taken steps to improve management controls for this major information technology\ninvestment, additional improvements are needed to ensure consistent adherence to risk mitigation\nprocesses for program management, security control processes, testing documentation, and\nrequirements management.\n\nThe first release of the FRS was substantially developed and nearing deployment\nThe FRS is needed to register FFIs to assist in achieving the primary objective of the FATCA\nlegislation, which is the disclosure of U.S. taxpayer foreign accounts. By November 2012, the\nIRS had made a significant investment in developing Release 1.0 of the FRS and was one month\naway from deployment of a major software release.\nThe FFI registration process is electronic through the FRS; however, online registration is not\nmandatory and a paper process is currently available. The IRS informed us that after the planned\ninitial 12-month registration period, FFI registration will be an ongoing function. The IRS also\nestimated that 200,000 to 400,000 FFIs, expected to be foreign entities, will register through the\nFRS. Once FFIs are registered, they will be asked to provide identifying information for certain\nU.S. accounts maintained by the institution such as account number, balance, gross receipts, and\nwithdrawals. 
Figure 2 highlights examples of key capabilities and features developed for FRS\nRelease 1.0.\n\n\n\n\n                                                                                           Page 4\n\x0c                        Foreign Account Tax Compliance Act: Improvements Are\n                       Needed to Strengthen Systems Development Controls for the\n                            Foreign Financial Institution Registration System\n\n\n\n          Figure 2: Examples of Key Capabilities and Features of FRS Release 1.0\n                       Capabilities                                                  Features\n    The FRS is a modern web-based application with            The FRS provides flexibility for FIs to report on\n    24/7 accessibility. Specifically, it:                     and manage information throughout their\n    \xef\x83\x98 Allows Financial Institution (FI) users to              corporate structure (branch and members).\n      establish an online account, including the              Specifically, the system:\n      ability to choose a password and create                 \xef\x83\x98 Generates automatic notifications when an FI\n      challenge questions.                                      status changes.\n    \xef\x83\x98 Displays a customized home page for FIs to              \xef\x83\x98 Implements a universal numbering system\n      manage their accounts.                                    (Global Intermediary Identification Number)\n    \xef\x83\x98 Ensures security for all data provided on                 that can be used by local taxing authorities.\n      behalf of FIs.                                          
\xef\x83\x98 Allows FIs to appoint delegates (points of\n    \xef\x83\x98 Provides FIs with tools to oversee member                 contact) to perform registration tasks.\n      and/or branch information.\n    \xef\x83\x98 Establishes a streamlined environment for FIs\n      to register in one place.\nSource: FRS overview presented by the IRS to the Treasury Inspector General for Tax Administration on February 21, 2013.\n\nThe FRS project team has followed the IRS Enterprise Life Cycle Iterative Path provisions for\nsystems development projects.7 For example, planned project scope and activities were detailed\nin a Project Management Plan and a Work Breakdown Structure, and regular oversight of project\nprogress was accomplished during monthly Information Technology Project Control Reviews.\nIn addition, the Project Management Plan identified dependencies for the development of the\nFRS.\n\nRelease 1.0 was approaching the scheduled deployment date when the IRS\nterminated it\nIn November 2012, approximately one month before the initial FRS was scheduled to be\ndeployed, IRS executives terminated Release 1.0. The IRS provided the following reasons for\ntermination of Release 1.0 and the redesign of the FRS:\n      \xef\x82\xb7    The FATCA regulations took more than 11 months to be finalized. During this time, the\n           IRS was developing Release 1.0 of the FRS. 
After the final regulations were issued in\n           January 2013, the IRS identified requirements in the regulations that were not part of the\n           design of Release 1.0.\n      \xef\x82\xb7    Department of the Treasury negotiations on IGAs with different countries identified\n           changes for the FFIs responsibilities in the registration process.\n\n\n7\n    The Enterprise Life Cycle Iterative Path received IRS executive approval on September 12, 2011.\n\n\n                                                                                                                   Page 5\n\x0c                      Foreign Account Tax Compliance Act: Improvements Are\n                     Needed to Strengthen Systems Development Controls for the\n                          Foreign Financial Institution Registration System\n\n\n\n    \xef\x82\xb7    The Release 1.0 requirements did not meet the complexities of these registration changes;\n         therefore, the IRS decided to terminate Release 1.0. In order to incorporate the\n         requirements from the regulations and the IGA changes, the IRS began developing\n         Release 1.1.\n    \xef\x82\xb7    As FATCA processes were developed, the IRS determined the need to create a unique\n         identifier for the FFIs that successfully register. This unique identifier must be present on\n         the IRS Participating FFI list to inform withholding agents of an FFI\xe2\x80\x99s FATCA status and\n         to track an FFI\xe2\x80\x99s U.S. account reporting.\nThe IRS also informed us that FRS scope changes were necessary due to the following changes\nin the IGAs:\n    \xef\x82\xb7    IGA negotiations with foreign countries resulted in the proposal of an alternative\n         framework for implementing the FATCA.\n    \xef\x82\xb7    Two Reporting Models were decided upon: Model 18 and Model 2.9\n    \xef\x82\xb7    Reciprocal10 and Non-Reciprocal Versions of Model 1 were decided upon. 
In the case of\n         a reciprocal Model 1 IGA, the IRS agrees to provide the country with reciprocal\n         information on foreign citizens from their jurisdictions who have U.S. accounts.\n    \xef\x82\xb7    Competent Authority Agreements11 would be entered into to further implement the IGAs.\nTo address the issues encountered while developing Release 1.0, FATCA management plans to\nestablish a new IT Organization PMO in Applications Development within the Fiscal Year 2013\ntime frame. Going forward with the FRS, it is important that the IRS address and build on the\nfollowing critical lessons learned12 from Release 1.0, including:\n    \xef\x82\xb7    Defining the requirements in their entirety with as much detail as possible and as early as\n         possible is crucial to meet the scheduled drop date.\n\n\n\n8\n  Model 1: The Treaty Partner country agrees to provide the IRS with FATCA-specific data on U.S. accounts in its\ncountry via the exchange of information. FFIs in the Treaty Partner country report to the Tax Authority, not directly\nto the IRS.\n9\n  Model 2: FFIs in the Treaty Partner country report U.S. taxpayer account information directly to the IRS, rather\nthan going through their Tax Authority; certain additional information, such as details on recalcitrant account\nholders, will be reported through the Tax Authority.\n10\n   The reciprocal version of the IGA provides for the United States to exchange information currently collected on\naccounts held in U.S. 
financial institutions by residents of partner countries, and includes a policy commitment to\npursue regulations and support legislation that would provide for equivalent levels of exchange by the United States.\n11\n   A Competent Authority Agreement is an agreement between persons or organizations (e.g., foreign countries) that\nhave the legally delegated or invested authority, capacity, or power to perform designated functions.\n12\n   The IRS provided a list of 15 lessons learned from the termination of Release 1.0.\n\n\n                                                                                                             Page 6\n\x0c                   Foreign Account Tax Compliance Act: Improvements Are\n                  Needed to Strengthen Systems Development Controls for the\n                       Foreign Financial Institution Registration System\n\n\n\n   \xef\x82\xb7   Working with the System Acceptability Testing (SAT) and Security Controls Assessment\n       (SCA) teams to identify their needs and address them in advance.\n   \xef\x82\xb7   Working on the requirements and baselining them as early as possible in order to speed\n       up the development process.\n   \xef\x82\xb7   Identifying much earlier the Business Objects Enterprise reports, requirements,\n       calculation fields, and system deployment reports for the drop.\nDuring our review, we determined program management control processes did not timely\nidentify and communicate system design changes to ensure the successful development of the\nFRS. Beginning in April 2011, the FATCA PMO comprised of LB&I Division and IT\npersonnel, began development of FRS Release 1.0.\nMajor revisions of the FATCA business requirements began in late 2012 following delays with\nfinalization of the FATCA regulations and the IGA negotiations that occurred outside of IRS\xe2\x80\x99s\ncontrol. 
These revisions were needed to expand and modify the FRS scope to address key policy issues, and to modify, add, or delete existing system requirements. The IRS provided documentation that, in September 2012, it became aware that the program scope was expanding. During that time frame, the IRS also initiated the creation of a new IT Organization PMO to help mitigate FATCA system development risks.

In November 2012, Release 1.0, originally scheduled for production in December 2012, was terminated. In December 2012, the IRS began revisiting the work it had completed before resuming work in January 2013 to design FRS Release 1.1 (two drops) and to integrate various portions of the Enterprise Life Cycle artifacts from Release 1.0. The first system delivery (referred to as Drop 1) of Release 1.1's planned two drops was originally scheduled to deploy on July 1, 2013, but was pushed back to July 29, 2013. On July 30, 2013, IRS management confirmed that Drop 1 for Release 1.1 was deployed.

The IRS spent $8.6 million and took 19 months to develop FRS Release 1.0 before the effort was terminated. The IRS informed us that it was able to include most of the functionality developed for Release 1.0 in Release 1.1. The IRS originally planned to spend a total of $14.4 million to develop and deploy the FRS. However, the current cost estimate to deploy the system in Release 1.1 is $8.0 million. This $8.0 million, in addition to the $8.6 million already spent on Release 1.0, results in a total cost of $16.6 million for the FRS. Based on current estimated costs for Release 1.1 ($16.6 million) compared to the planned cost for Release 1.0 ($14.4 million), we identified the potential inefficient use of resources to be $2.2 million. See Appendix IV for details on this outcome.

Program management control processes were not consistently followed to ensure the successful development of the FRS

During our review, we determined that program management controls were not consistently followed to ensure the successful development of the FRS. Beginning with an initial FRS Project Kickoff meeting in July 2011, the LB&I Division worked with the IT Organization and led the development efforts for the FRS.

To develop successful new information technology systems needed for the FATCA, the IRS must plan, monitor, and control the work specified by the system life cycle. This should include the adequate formation and management of information technology projects.

In September 2012, the FATCA Governance Board approved the creation of a FATCA IT Organization PMO to execute, monitor, and control all FATCA information technology projects through Fiscal Year 2017.

The IRS is taking steps to establish an IT Organization PMO to lead FATCA systems development, including the FRS Release 1.1 activities. The acting program director for the current PMO does not yet have staff assigned for program management activities. Further, the IT Organization's PMO for FATCA systems relied on resources provided by a separate Applications Development organization. IRS officials informed us that initialization of the planned IT Organization PMO has been delayed due to budget constraints. While the FRS is currently the only FATCA Program project under development, other information technology projects are planned for development through Fiscal Year 2017.

Inadequate controls over key system development risk areas, as discussed below, put the system at risk of not functioning as intended once it is moved into production. Without effective program management controls, the IRS lacks assurance that current and future FATCA projects will be adequately managed to ensure long-term success. Strengthening the existing IT PMO for the FATCA would better enable the IRS to maintain adequate systems development risk mitigation controls, including system requirements management, key test processes and documentation, and information technology cost estimates and schedules.

Recommendations

Recommendation 1: The Chief Technology Officer and the Commissioner, LB&I Division, should ensure that the FATCA Organization PMO and FATCA information technology management timely identify and communicate system changes to minimize costs and reduce waste for future information technology development projects.

    Management Response: The IRS agreed with this recommendation and stated that it will ensure that the LB&I Division and the IT PMO will continue to work very closely to ensure that they timely identify and communicate system changes to minimize costs and reduce waste for future information technology development projects.
    Also, in the written response, the Chief Technology Officer disagreed with our conclusion that a major redesign of the system was necessary due to the IRS not sufficiently developing requirements and, hence, with the title of our audit report.

    Office of Audit Comment: In the IRS's response to the draft report, the Chief Technology Officer takes exception to our conclusion that a major redesign of the system was necessary due to the IRS not sufficiently developing requirements. Our audit found, however, that major additional work was required in Release 1.1 because of the significant increase in the number of requirements from the time Release 1.0 was terminated through the completion of the Release 1.1 requirements development.

    The Chief Technology Officer also disagreed with our conclusion that adequate program controls improvements are necessary. During our audit closing discussion with IRS management, we discussed our concerns about specific management controls needed for major information technology investments. Specifically, we informed the IRS, and we maintain, that FATCA requirements should be considered in an Enterprise Architecture. Consideration of goals and milestones for the FATCA within the IRS's Enterprise Architecture would better enable the LB&I Division and the IT Organization PMO to work more effectively and efficiently going forward to strengthen program management controls and guide major information technology planning and investments. Moreover, this important management control could better enable the IRS to avoid unnecessary costs and delays with IT development projects required for the FATCA.

    In its written comments, the IRS also informed us that the FRS Release 1.1 Drop 2 deployment date is November 2013. We have made the necessary change to this date in our final report.

Recommendation 2: The Chief Technology Officer should ensure that adequate program management controls are in place and are consistently followed to guide the future system development activities needed for the FATCA and to better position the IRS to accomplish its FATCA goals and objectives.

    Management Response: The IRS agreed with this recommendation and stated that the FATCA Program Management Plan will be approved by the FATCA Governance Board. The plan will ensure that adequate program management controls are in place and will guide future system development activities.

Security Controls Need Improvement to Ensure Long-Term Success of the Foreign Financial Institution Registration System

The SCA Security Test Plan was not completed

The IRS must ensure that the FRS operates with appropriate management review and that there is adequate monitoring of system security controls. Specifically, the Security Assessment and Authorization process involves completing the SCA Security Test Plan. However, the FRS plan will not be available until mid-September 2013, when all SCA testing is completed for both Drops 1 and 2 of Release 1.1.
We observed the SCA testing held in July 2013 and believe that the SCA testing results for Drop 1 should be in the plan before Drop 1 is deployed.

This process is an important risk mitigation control for ensuring that all test cases are traced to specific security requirements. By not including the SCA testing results for Drop 1, the IRS may be unable to adequately determine whether:

    • The SCA Test Plan included adequate security controls prior to deployment of the FRS.
    • The security controls aligned with National Institute of Standards and Technology guidance, IRS requirements and testing manuals, and other applicable standards.
    • The SCA Test Plan contained test cases that tested all the security requirements.
    • The test cases were mapped to the security controls.

Failed security controls identified by SCA testing require corrective actions prior to system implementation

During our fieldwork, we also observed that, at the beginning of the SCA testing, the SCA testers did not have the documentation to verify that testing of controls had been completed for SA-10 developers' configuration testing and SA-11 developers' security testing. The SA-10 and SA-11 documentation was eventually provided during the SCA testing period. While the SA-10 test cases passed, one SA-11 test case failed.

Cybersecurity management needs to ensure that the SA-11 security control is adequately tested according to established National Institute of Standards and Technology and IRM guidelines. Without assurance that this control is in place, the FRS may not operate as intended.

Recommendation

Recommendation 3: The Chief Technology Officer should ensure that the SCA Test Plan and Developer Security Test and Evaluation Plan are prepared so that all security requirements, security controls, and test cases are identified, traced, and tested, and that all security testing is performed before deployment of Drop 1 to ensure that the FRS operates as intended.

    Management Response: The IRS agreed with this recommendation and stated that the FATCA PMO will improve oversight of security requirements and associated testing by first identifying security testing gaps in the Lessons Learned Report. In addition, the FATCA PMO will ensure that developer testing activities are included in the FRS Drop 2 schedule.

Testing Documentation Procedures Need Improvement

For successful systems development, it is important that test cases are created to test specific conditions. IRS systems development guidelines are in place for developing and tracing requirements to test cases.[13] The documentation for these risk mitigation processes should demonstrate that the requirements were adequately tested in order to validate that the FRS is functioning as intended.
In addition, each test case must utilize specific test data that are developed or acquired to verify that all required conditions are met.

On May 14 and 15, 2013, during the SAT for the FRS, we found that the SAT testers and the Business Office Environment testers were inconsistently following testing procedures to document their test cases.

    • First observation: The SAT testers are required to document their test cases in a spreadsheet that includes the test script, the requirements being tested, the expected results, and the actual results. The Business Office Environment testers provided very limited test steps and had no documentation available for these steps. It is important that project-generated test artifacts or work products, such as test plans, test scripts, test cases, test reports, and measurements, be recorded and maintained in an approved repository.
    • Second observation: In one case, the SAT tester shared plans to create a new test case from an error in a script instead of failing the test case and retesting it. This condition highlighted the risk of testers independently writing their own tests. To ensure the integrity of the testing process, the individual who writes the test case should not be the same person testing the case. Specifically, it is important that the test team[14] review and analyze the requirements, create test cases/scripts, execute the test cases, and document the results in an approved traceable repository.
      This risk mitigation control is not in place if testers are permitted to independently create and execute their own test cases during the testing process.

[13] Internal Revenue Manual (IRM) 2.110, Requirements Engineering, Requirements Engineering Process (February 1, 2013), provides guidelines for developing requirements, while IRM 2.127, Software Testing Standards and Procedures (May 15, 2013), provides guidelines for tracing the requirements to the test cases and executing the test cases. IRM 2.127.1.2 states that test cases are created to document specific conditions to be tested.
[14] IRM 2.127.2.1.5.3, IT Test Preparation Procedure (May 15, 2013), provides the activity steps to verify the test environment review documentation; prepare test cases, scripts, and data; and conduct a test readiness review. IRM 2.127.2.1.6.3, IT Test Execution Procedure (May 15, 2013), provides the activity steps to execute test cases/scripts, document results, and report the test status.

The IRS issued new testing procedures in May 2013 stating that:

    The objective is to have everyone using the same tools and techniques and follow the same repeatable steps so that the organization can quantify how well the procedure is working and train future staff members who may not currently know the routine.
    Ensuring consistency is a critical component for ensuring optimum efficiency.

The FRS testing conditions that we observed, however, reflect inconsistencies in testing documentation procedures for the SAT testers and the Business Office Environment testers. Further, the IRS acknowledged in a June 2013 Risk Detail Report for the FRS that Performance Testing was scheduled to end June 7, 2013; however, it has been delayed due to errors…in the SAT environment. Based on our review, we concluded that one or more of the errors identified during the SAT testing may have been caused by a database programming error not detected by the SAT testers.

Recommendations

Recommendation 4: The Chief Technology Officer should ensure that all testing groups follow the recently established Internal Revenue Manual (IRM) procedures for documenting test cases, for consistency in testing requirements and in detecting and correcting errors, to ensure that the FRS meets all of its requirements as needed.

    Management Response: The IRS agreed with this recommendation and stated that testing groups will continue to follow the recently established IRM procedures for documenting test cases to maintain consistency in testing requirements and in detecting and correcting errors to ensure that the FRS meets all of its requirements as needed.

Recommendation 5: The Commissioner, LB&I Division, should establish IRM procedures for all testing groups to ensure that documentation of test cases is consistent with and supports the IT Organization requirements testing process.

    Management Response: The IRS agreed with this recommendation and stated that the LB&I Division will meet with IT Organization professionals with subject matter expertise to ensure that documentation of test cases is consistent with and supports the IT Organization's requirements testing processes. Applicable IRMs will be modified as appropriate.

Requirements Management Controls Need Improvement

On April 4, 2013, the IRS informed us that there were a total of 1,409 requirements for the FRS Release 1.1. The IRS subsequently provided us with the April 30, 2013, Requirements Traceability Verification Matrix (RTVM) for Drop 1, which had 892 requirements listed. The IRS explained that the difference between the 1,409 requirements and the 892 requirements in the April 30, 2013, RTVM was the requirements for Drop 2. Although we agree that the April 30, 2013, RTVM was for Drop 1 SAT testing, that version of the RTVM still had approximately 100 out-of-scope Drop 2 requirements listed.

We observed SAT testing in May 2013. We subsequently reviewed the test cases and found requirements that could not be traced back to the April 30, 2013, RTVM. The IRS explained that the RTVM was not brought up to date until during and after Drop 1 SAT testing was completed. We concluded that the Enterprise Systems Testing team did not have an up-to-date RTVM in place to ensure complete traceability between the FRS requirements and test cases. This process is an important risk mitigation control for ensuring that all test cases are traced to specific requirements.
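The following Python script is an added illustration of the traceability checks an up-to-date RTVM is meant to support; it is not part of the TIGTA report and not IRS code. Run over a small constructed matrix, it reports in-scope requirements with no test case, test cases that cite requirement identifiers absent from the matrix (the condition described for the May 2013 SAT), requirements that belong to a later drop but remain listed (the out-of-scope Drop 2 entries), and security controls whose mapped test case failed or was never run (the SA-11 condition noted in the SCA testing discussion above). The record layout, the identifiers such as FRS-REQ-001 and TC-01, and the sample rows are assumptions made for the example.

```python
"""Traceability checks over a small, constructed RTVM (Requirements
Traceability Verification Matrix).  Added example, not IRS code; the record
layout, identifiers and sample rows are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    drop: int          # release drop the requirement is scheduled for
    control: str = ""  # security control it implements, if any (e.g. "SA-11")


@dataclass(frozen=True)
class TestCase:
    case_id: str
    covers: tuple      # requirement ids the test script claims to verify
    result: str        # "PASS", "FAIL" or "NOT RUN"


# Constructed Drop 1 matrix: one Drop 2 requirement has leaked in, one
# in-scope requirement has no test, one script cites an unknown requirement,
# and the test mapped to the SA-11 control failed.
REQUIREMENTS = [
    Requirement("FRS-REQ-001", drop=1),
    Requirement("FRS-REQ-002", drop=1),
    Requirement("FRS-REQ-003", drop=1, control="SA-10"),
    Requirement("FRS-REQ-004", drop=1, control="SA-11"),
    Requirement("FRS-REQ-205", drop=2),
]
TEST_CASES = [
    TestCase("TC-01", ("FRS-REQ-001",), "PASS"),
    TestCase("TC-02", ("FRS-REQ-003",), "PASS"),
    TestCase("TC-03", ("FRS-REQ-004",), "FAIL"),
    TestCase("TC-04", ("FRS-REQ-999",), "PASS"),  # cannot be traced to the RTVM
]


def check_rtvm(requirements, test_cases, current_drop):
    """Return the traceability findings a test readiness review would raise.

    Every list is sorted so results are stable and easy to diff between
    RTVM versions (e.g. a pre-SAT matrix against the post-SAT one)."""
    known = {r.req_id: r for r in requirements}
    tests_for = defaultdict(list)   # req_id -> test cases that cover it
    orphan_tests = []               # (case_id, req_id) pairs with no RTVM entry
    for tc in test_cases:
        for rid in tc.covers:
            if rid in known:
                tests_for[rid].append(tc)
            else:
                orphan_tests.append((tc.case_id, rid))

    in_scope = [r for r in requirements if r.drop == current_drop]
    failed_controls = set()
    untested_controls = set()
    for r in in_scope:
        if not r.control:
            continue
        results = [t.result for t in tests_for.get(r.req_id, [])]
        if not results or "NOT RUN" in results:
            untested_controls.add(r.control)
        if "FAIL" in results:
            failed_controls.add(r.control)

    return {
        "out_of_scope": sorted(r.req_id for r in requirements if r.drop != current_drop),
        "untested": sorted(r.req_id for r in in_scope if not tests_for.get(r.req_id)),
        "orphan_tests": sorted(orphan_tests),
        "failed_controls": sorted(failed_controls),
        "untested_controls": sorted(untested_controls),
    }


def ready_for_deployment(findings):
    """True only when every traceability check comes back empty."""
    return not any(findings.values())


if __name__ == "__main__":
    findings = check_rtvm(REQUIREMENTS, TEST_CASES, current_drop=1)
    for name, items in findings.items():
        print(f"{name:18s} {items if items else '-'}")
    print("ready for deployment:", ready_for_deployment(findings))
```

Running the check against the matrix at the start of the test cycle, and again whenever the matrix is revised, gives the test team a repeatable record that every in-scope requirement has a test case and every test case traces to a listed requirement before deployment is approved.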
Without such traceability, incomplete, missing, or invalid requirements could lead to an adverse impact on the functionality of the FRS or jeopardize the successful implementation of future FATCA systems.

Recommendation

Recommendation 6: The Chief Technology Officer should ensure that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes, and that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA system requirements are included in test cases and tested.

    Management Response: The IRS agreed with this recommendation and currently ensures that IRM guidelines are followed so that the RTVM is established at the beginning of the testing life cycle and updated and maintained throughout the requirements management and testing processes. In addition, the IRS makes certain that the RTVM is utilized on a regular basis to ensure that all FRS and future FATCA requirements are included in test cases and tested.

    Office of Audit Comment: While the Chief Technology Officer agreed with our recommendation that IRM guidelines should be followed, during our audit we observed that the RTVM had a significant number of requirements that were not in scope for the SAT testing. Our concern is that, although the recent changes in IRS guidelines allow for updates to the RTVM throughout the requirements management and testing processes, at the outset of and during the test the RTVM should contain the specific requirements for the test cases. We maintain that improved controls are needed to ensure that all requirements trace to test cases.

    In future reviews of systems development activities for the FATCA, we will continue to consider the adequacy of the new IRM guidelines for RTVM development and implementation. Also, the program-level RTVM should be maintained throughout the requirements management and testing processes to ensure complete functionality of the FRS and long-term successful implementation of the FATCA Program. We believe that the IRS's corrective action as provided is non-responsive to our recommendation because it does not address the need for appropriate, in-scope requirements to be established and documented in the RTVM at the beginning of the testing life cycle.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS's systems development approach for the FRS is sufficiently mitigating risks through the application of information technology management controls for successful development and delivery of requirements and capabilities aimed at FATCA milestones and goals. To accomplish our objective, we:

I.   Determined whether key systems development controls were in place within the IRS's Enterprise Life Cycle Iterative Path[1] methodology for the FRS in accordance with Department of the Treasury, Office of Management and Budget, IRM, and other applicable guidance.
     A. Determined whether FRS risks were properly identified, monitored, and mitigated in accordance with applicable guidance.
        1. Judgmentally[2] selected eight of 21 risks with a Risk Identification Date from March 1, 2012, up to the May 23, 2013, FATCA Risk Detail Report.
           The sample of eight risks: a) had a status of Red; b) did not have a status of Withdrawn; and c) were inside the scope of FATCA Release 1.1, Drop 1.
        2. Re-performed the risk analysis on the judgmentally selected sample from Step I.A.1. to determine whether we agreed with the IRS's conclusion for each risk.
     B. Determined whether the IRS is adequately managing the requirements and change management risks and system testing activities for the FRS to effectively address the requirements of the FATCA legislation in accordance with applicable guidance.
II.  Considered whether the IRS was effectively estimating and tracking budgeted and actual costs, performance goals, and key milestones for the FRS in accordance with Department of the Treasury, Office of Management and Budget, IRM, and other applicable financial management guidance.
     A. Identified the FRS's budget and planned life cycle costs and determined whether controls were in place to effectively manage these costs.
     B. Identified the FRS's actual life cycle costs and determined if they are being effectively managed.
III. Determined whether required systems security controls have been sufficiently planned and addressed in the design of the FRS and whether systems security testing activities are adequate for ensuring the protection of FFIs' Personally Identifiable Information and other sensitive data in accordance with Department of the Treasury, Office of Management and Budget, IRM, and National Institute of Standards and Technology guidance, as well as other applicable guidance.
     A. Determined if required security controls are designed into the FRS.
     B. Determined if Personally Identifiable Information is part of the FRS.
     C. Determined if fraud detection controls are being designed into the FRS.

[1] See Appendix V for a glossary of terms.
[2] A judgmental sample is a non-statistical sample, the results of which cannot be used to project to the population.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet its mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: the IRM and related IRS guidelines and the processes followed in the development of information technology projects. We evaluated these controls by conducting interviews with management and staff, observing testing activities, and reviewing documentation.
Documents reviewed include the FATCA Project Management Plan, the FATCA Program Configuration Management Plan, and other documents that provided evidence of whether the IRS is adequately managing systems development risks for the FATCA Project.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Gwendolyn McGowan, Director, Systems Modernization and Applications Development
Suzanne Westcott, Audit Manager
Mark Carder, Lead Auditor
Cindy Harris, Senior Auditor
Lynn Ross, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Deputy Commissioner, Large Business and International Division SE:LB
Deputy Commissioner (International) Executive Assistant SE:LB:IN
Deputy Chief Information Officer for Operations OS:CTO
Director, Privacy, Governmental Liaison and Disclosure OS:P
Associate CIO, Applications Development OS:CTO:AD
Associate CIO, Cybersecurity OS:CTO:C
Director, Risk Management Division OS:CTO:SP:RM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

    • Inefficient Use of Resources – Potential; $2.2 million (see page 4).

Methodology Used to Measure the Reported Benefit:

The IRS had spent $8.6 million over 19 months to develop FRS Release 1.0 before the effort was terminated. The IRS informed us that it was able to include most of the functionality developed for Release 1.0 in its development of Release 1.1. The IRS originally estimated $14.4 million to develop and deploy the FRS. However, the current cost estimate to deploy the system with Release 1.1 is $8.0 million. This $8.0 million estimate is in addition to the $8.6 million already spent on Release 1.0, for an estimated cost of $16.6 million for the FRS. Based on current estimated costs for Release 1.1 ($16.6 million) compared to the estimated cost for Release 1.0 ($14.4 million), we identified the potential inefficient use of resources to be $2.2 million.

    Total ......................................................... $2.2 million

Appendix V

Glossary of Terms

Enterprise Architecture: IRM 2.15.1.1.2 defines an Enterprise Architecture as a strategic information asset base which defines the mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to the changing needs of the mission.
    The Enterprise Architecture will:
        • Capture the current state of the IRS Enterprise in an As-Built Architecture.
        • Define the desired future state of the IRS Enterprise in a Target Architecture.
        • Define a plan for getting from the current state to the desired future state in a Transition Strategy and Release Architecture.
    The IT Organization also posted on its website that the Enterprise Architecture is defined as the process of translating business vision and strategy into effective enterprise change by creating, communicating, and improving the key requirements, principles, and models that describe the enterprise's future state and enable its evolution. The IRS Enterprise Architecture is a tool used by business and IT managers to plan and manage their investments in business and technology solutions.

Intergovernmental Agreement: The U.S. Department of the Treasury agreement with foreign countries to implement the information reporting and withholding tax provisions of the FATCA via an automatic exchange of information.

Iterative Path: An adaptive development approach in which projects start with initial planning and end with deployment, with repeated cycles of requirement discovery, development, and testing in between. It is a more flexible and adaptable process than traditional sequential development approaches.

Large Business and International Division: Serves corporations, subchapter S corporations, and partnerships with assets greater than $10 million. These entities typically have large numbers of employees, deal with complicated issues involving tax law and accounting principles, and conduct their operations in an expanding global environment.

Personally Identifiable Information: Information that, either alone or in combination with other information, can be used to uniquely identify an individual. Some examples of Personally Identifiable Information are: name, Social Security Number, date of birth, place of birth, address, and biometric record.

Requirement: A formalization of a need; it is the statement of a capability or condition that a system, subsystem, or system component must have or meet to satisfy a contract, standard, or specification.

Requirements Traceability Verification Matrix: A tool that documents requirements and establishes the traceability relationships between the requirements to be tested and their associated test cases and test results.

SA-10 Developers Configuration Testing: Information system developers implement a configuration management process that manages and controls changes to the system, implements only IRS-approved changes, documents all approved changes, and tracks security flaws.

SA-11 Developers Security Testing: Addresses confidentiality, integrity, and availability of the software; data processed by the system; and resolution of issues that could result in security vulnerabilities.

Security Controls Assessment Security Test Plan: The Security Controls Assessment is conducted in the IRS production environment and consists of activities designed to ensure that the system's security safeguards are in place and functioning as intended.

System Acceptability Test: Verifies that the system satisfies software application requirements.

Withholding Agent: A U.S. or foreign person who has control, receipt, custody, disposal, or payment of any item of income of a foreign person that is subject to withholding. A withholding agent may be an individual, corporation, partnership, trust, association, or any other entity, including any foreign intermediary, foreign partnership, or U.S. branch of certain foreign banks and insurance companies.

Appendix VI

Management's Response to the Draft Report
Systems Development Controls for the\n     Foreign Financial Institution Registration System\n\n\n\n\n                                                     Page 27\n\x0c'